Re: [cryptography] Merkle Signature Scheme is the most secure signature scheme possible for general-purpose use

2010-09-03 Thread Marsh Ray
On 09/03/2010 03:45 AM, Ben Laurie wrote: That's the whole point - a hash function used on an arbitrary message produces one of its possible outputs. Feed that hash back in and it produces one of a subset of its possible outputs. Each time you do this, you lose a little entropy (I can't

Re: [cryptography] stream MAC - does anything like it exist?

2010-09-15 Thread Marsh Ray
On 09/15/2010 01:37 AM, J.A. Terranson wrote: Clearly, your hearing is impaired. Anonymous travel is becoming nigh impossible within the United States. If I have a current plate on my car, a driver's license in my pocket, and money for gas I can drive just about anywhere I want. Every few

Re: [cryptography] storage systems as one-way protocols

2010-10-05 Thread Marsh Ray
On 10/05/2010 02:04 PM, travis+ml-rbcryptogra...@subspacefield.org wrote: I don't know if anyone else noticed this but... Storage systems are basically a subclass of protocols; they're unidirectional (with no acknowledgements). IOW, you're sending messages to yourself at some (future) point in

Re: [cryptography] Tahoe-LAFS developers' statement on backdoors

2010-10-06 Thread Marsh Ray
On 10/06/2010 06:42 PM, silky wrote: The core Tahoe developers promise never to change Tahoe-LAFS to facilitate government access to data stored or transmitted by it. Even if it were desirable to facilitate such access—which it is not—we believe it would not be technically feasible to do so

Re: [cryptography] NSA's position in the dominance stakes

2010-11-18 Thread Marsh Ray
On 11/18/2010 04:21 PM, Adam Back wrote: So a serious question: is there a software company friendly jurisdiction? As weird as it sounds, it seems that most politicians seem to think of patents as being business friendly and lump them together under this nebulous concept of intellectual

Re: [cryptography] philosophical question about strengths and attacks at impossible levels

2010-11-24 Thread Marsh Ray
On 11/24/2010 02:11 PM, coderman wrote: On Wed, Nov 24, 2010 at 2:49 AM, Marsh Rayma...@extendedsubset.com wrote: (that's the abridged version. this is actually more complicated than many assume, and i've written my own egd's in the past to meet need.) Ya. How does this feature interact

Re: [cryptography] Generating passphrases from fingerprints

2010-12-04 Thread Marsh Ray
On 12/04/2010 03:08 PM, Jens Kubieziel wrote: Hi, recently I had a discussion about biometric data. The following problem occured: Assume someone wants to register at a website. He swipes his finger over his fingerprint reader. The reader generates strong passphrase from the fingerprint and

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-14 Thread Marsh Ray
On 12/14/2010 09:11 PM, Rayservers wrote: Moral: never depend on only one network security layer, and write and verify your own crypto. Recall Debian and OpenSSL. I think it's too early to draw conclusions from this. I spent a good bit of time going through a bunch of the OpenBSD CVS

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-15 Thread Marsh Ray
On 12/15/2010 01:38 AM, Peter Gutmann wrote: This is one of those things where those who know the truth won't be able to talk about it, and those who can openly talk about it don't know the truth. Having pointed out that distinction, I'll now talk about it :-). It violates the principle of

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-15 Thread Marsh Ray
On 12/15/2010 02:31 AM, Jon Callas wrote: But this way, the slur has been made in a way that is impossible to discuss. I think evidence is called for, or failing that, and actual description of the flaw. Hot off the presses. Haven't yet decided how much this counts for information. But he

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-16 Thread Marsh Ray
On 12/15/2010 02:36 PM, Jon Callas wrote: Facts. I want facts. Failing facts, I want a *testable* accusation. Failing that, I want a specific accusation. How's this: OpenBSD shipped with a bug which prevented effective IPsec ESP authentication for a few releases overlapping the time period

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-16 Thread Marsh Ray
On 12/16/2010 04:46 PM, Steven Bellovin wrote: I've known Angelos Keromytis since about 1997; he's now a colleague of mine on the faculty at Columbia. I've known John Ioannidis -- the other name attached to that code -- for considerably longer. I've written papers with both of them. To

Re: [cryptography] Fwd: [gsc] Fwd: OpenBSD IPSEC backdoor(s)

2010-12-17 Thread Marsh Ray
On 12/17/2010 09:46 AM, Kevin W. Wall wrote: I like it. And I propose that this be the 6 lines of code: int a; int b; int c; int d; int e; int f; OK, so what's your solution then? :-) Because of my style with C++, I've written lots of bugs

Re: [cryptography] OpenBSD IPSEC backdoor(s)

2010-12-18 Thread Marsh Ray
On 12/16/2010 04:09 PM, Marsh Ray wrote: http://code.bsd64.org/cvsweb/openbsd/src/sys/netinet/ip_esp.c.diff?r1=1.74;r2=1.75;f=h After reviewing the code. Here are my opinions: * Angelos Keromytis made huge contributions to OpenBSD by porting and enhancing the early IPsec implementation

Re: [cryptography] OpenBSD

2010-12-22 Thread Marsh Ray
On 12/22/2010 10:53 PM, David-Sarah Hopwood wrote: On 2010-12-22 18:39, Randall Webmail wrote: OpenBSD Founder Believes FBI Built IPsec Backdoor But Theo de Raadt said it is unlikely that the Federal Bureau of Investigation's Internet protocol security code made it into the final operating

Re: [cryptography] Alleged recovery of PS3 ECDSA private key from signatures

2011-01-01 Thread Marsh Ray
On 12/30/2010 05:41 AM, Peter Gutmann wrote: Francois Grieufgr...@gmail.com writes: According to a presentation made at the 27th Chaos Communication Congress, there is a serious bug in the code that was used to produce ECDSA signatures for the PS3: Haha, I just got a PS3 the other day. This

Re: [cryptography] anonymous surveys

2011-01-06 Thread Marsh Ray
On 01/06/2011 10:27 AM, travis+ml-rbcryptogra...@subspacefield.org wrote: On Thu, Jan 06, 2011 at 08:22:03AM -0800, travis+ml-rbcryptogra...@subspacefield.org wrote: Someone emailed into Security Now a while back, asking about workplace surveys that are supposed to be anonymous, but have a

Re: [cryptography] encrypted storage, but any integrity protection?

2011-01-15 Thread Marsh Ray
On 01/14/2011 06:13 PM, Jon Callas wrote: This depends on what you mean by data integrity. How about an attacker with write access to the disk is unable to modify the protected data without detection? In a strict, formal way, where you'd want to have encryption and a MAC, the answer is

Re: [cryptography] A REALLY BIG MITM

2011-01-26 Thread Marsh Ray
On 01/25/2011 09:50 PM, Peter Gutmann wrote: This isn't one of those namby-pamby one-site phishing MITMs, this is a MITM of an entire country: http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/ For those who don't want to

Re: [cryptography] True Random Source, Thoughts about a Global System Perspective

2011-01-28 Thread Marsh Ray
On 01/28/2011 05:43 AM, Daniel Silverstone wrote: On Thu, Jan 27, 2011 at 12:03:26PM +, Marsh Ray wrote: [Disclaimer: I work for Simtec and worked on the Entropy Key. We are honestly interested in frank and open discourse about the device and in that spirit, my comments follow.] Cool

Re: [cryptography] Tossing randomness back in?

2011-04-18 Thread Marsh Ray
On 04/18/2011 09:26 PM, Sandy Harris wrote: In many situations, you have some sort of randomness pool and some cryptographic operations that require random numbers. One concern is whether there is enough entropy to support the usage. Is it useful to make the crypto throw something back into the

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-05 Thread Marsh Ray
On 06/05/2011 08:57 PM, David G. Koontz wrote: On 5/06/11 6:26 PM, Peter Gutmann wrote: That's the thing, you have to consider the threat model: If anyone's really that desperately interested in watching your tweets about what your cat's doing as you type them then there are far easier attack

Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Marsh Ray
On 06/07/2011 02:01 PM, J.A. Terranson wrote: On Tue, 7 Jun 2011, Nico Williams wrote: TEMPEST. I'd like keyboards with counter-measures (emanation of noise clicks) or shielding to be on the market, and built-in for laptops. Remember how well the original IBM PC clicky keyboard went over

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-09 Thread Marsh Ray
On 06/09/2011 12:14 PM, Paul Hoffman wrote: What is the current state of brute-force attacks on AES-128 blobs? Are there recent results where we can estimate the cost of brute-forcing 64-bit and 80-bit keys? The article is behind a paywall, but Google quotes the relevant statistic:

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-09 Thread Marsh Ray
On 06/09/2011 04:53 PM, Solar Designer wrote: On Thu, Jun 09, 2011 at 04:22:16PM -0500, Marsh Ray wrote: Which neatly fits 2^32 trials per watt-second. A real engineer would probably design the chips to minimize energy-per-trial, but I think our estimate is probably still within an order

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-09 Thread Marsh Ray
On 06/09/2011 08:08 PM, Solar Designer wrote: The rest of your numbers passed my double-checking just fine. BTW, 0.35 um process is not state of the art, so things might actually be even worse. (I never had an HP RPN calculator, but I still have two different Soviet-made programmable RPN

Re: [cryptography] Current state of brute-forcing random keys?

2011-06-10 Thread Marsh Ray
On 06/09/2011 11:44 PM, Solar Designer wrote: On Thu, Jun 09, 2011 at 04:22:16PM -0500, Marsh Ray wrote: The article is behind a paywall, but Google quotes the relevant statistic: http://scholar.google.com/scholar?cluster=14788671232027796805 The standard-cell implementation on a 0.35 ??m CMOS

[cryptography] Crypto-economics metadiscussion

2011-06-13 Thread Marsh Ray
I 'aint no self-appointed moderator of this list and I do find the subject of economics terribly interesting, but maybe it would make sense to willfully confine the scope of our discussion of Bitcoin and other virtual currencies to the crypto side of it. This list's previous incarnation had

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-14 Thread Marsh Ray
Also a discussion on this going on at http://news.ycombinator.com/item?id=2654586 On 06/14/2011 05:50 PM, Jack Lloyd wrote: I discovered this a while back when I wrote a bcrypt implementation. Unfortunately the only real specification seems to be 'what the OpenBSD implementation does'. That

Re: [cryptography] If this isn't a honey-pot, it should be

2011-06-15 Thread Marsh Ray
On 06/15/2011 12:00 PM, Jack Lloyd wrote: https://encryptur.com/ In fairness, this is no worse that downloading some random program off the internet and using it for the same purpose. But it is. If you download a 'random' program off the internet it's unlikely to have been targeted at you

Re: [cryptography] If this isn't a honey-pot, it should be

2011-06-15 Thread Marsh Ray
On 06/15/2011 01:43 PM, markus reichelt wrote: * Marsh Rayma...@extendedsubset.com wrote: Note that this site is sourcing Google analytics. ... so? A site can be no more secure than the places from which it sources script (or just about any resource other than images). In all

[cryptography] Nonlinear bias in subscription state. Re: not unsubscribing (Re: Unsubscribing)

2011-06-16 Thread Marsh Ray
On 06/16/2011 02:17 PM, Adam Back wrote: Trust me the noise level on here is zero compared to usenet news flame fests, spam, DoS etc. The maintainer is removing spam for one (I think). Anything looks acceptable if you're willing to set your standard of comparison low enough. Many of us aren't

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-20 Thread Marsh Ray
On 06/20/2011 12:55 PM, Solar Designer wrote: Yes, one lesson is that such pieces of code need more testing. Maybe fuzzing with random inputs, including binary data, comparing them against other existing implementations. There are certainly more bugs lurking where the complex rules of

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-21 Thread Marsh Ray
On 06/21/2011 10:27 AM, Nico Williams wrote: Martin Rex found the TLS renegotiation bug independently from Marsh Ray by thinking of how the SSPI is used to interface to TLS. The SSPI was so faithful to TLS that it really exposed the bug. Right, so one of the lessons learned here

Re: [cryptography] RDRAND and Is it possible to protect against malicious hw accelerators?

2011-06-21 Thread Marsh Ray
On 06/21/2011 12:18 PM, Ian G wrote: On 18/06/11 8:16 PM, Marsh Ray wrote: On 06/18/2011 03:08 PM, slinky wrote: But we know there are still hundreds of trusted root CAs, many from governments, that will silently install themselves into Windows at the request of any website. Some

Re: [cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

2011-06-22 Thread Marsh Ray
On 06/22/2011 07:17 AM, Peter Gutmann wrote: Crypto API designed by an individual or a single organisation: CryptoAPI: A handful of guys at Microsoft I always kind of thought this one looked like someone went a little wild with the UML modeling tools. PKCS #11: Someone at RSA (I've heard

Re: [cryptography] Digitally-signed malware

2011-06-22 Thread Marsh Ray
On 06/22/2011 09:40 AM, Steven Bellovin wrote: http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html Not surprising to most readers of this list, I suspect... The interesting thing is that

Re: [cryptography] Digitally-signed malware

2011-06-22 Thread Marsh Ray
On 06/22/2011 10:04 AM, Marsh Ray wrote: Code signing. Occasionally useful. I meant to add: It's usually more useful as a means for an platform vendor to enforce its policies on legitimate developers than as something which delivers increased security to actual systems. - Marsh

Re: [cryptography] Anti-GSS falsehoods (was Re: IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM))

2011-06-24 Thread Marsh Ray
On 06/24/2011 02:04 AM, Nico Williams wrote: Every bank that uses Active Directory uses Kerberos, and the GSS-like SSPI. And the Kerberos GSS mechanism (through SSPI, on Windows). The native Windows TLS implementation is accessed via SSPI. I've used/abused the Windows SSPI a few times for

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Marsh Ray
On 06/25/2011 03:48 PM, Ian G wrote: On 21/06/11 4:15 PM, Marsh Ray wrote: This was about the CNNIC situation, Ah, the I'm not in control of my own root list threat scenario. See, the thing there is that CNNIC has a dirty reputation. That's part of it. But there are some deeper issues

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Marsh Ray
On 06/26/2011 01:13 PM, The Fungi wrote: On Sun, Jun 26, 2011 at 12:26:40PM -0500, Marsh Ray wrote: [...] Now maybe it's different for ISP core router admins, but the existence of this product strongly implies that at least some admins are connecting to their router with their web browser over

Re: [cryptography] this house believes that user's control over the root list is a placebo

2011-06-26 Thread Marsh Ray
On 06/26/2011 05:58 PM, Ian G wrote: On 26/06/11 5:50 AM, Ralph Holz wrote: - you don't want to hurt the CAs too badly if you are a vendor Vendors spend all day long talking internally and with other vendors. Consequently, they tend to forget who holds the real money. For most healthy

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Marsh Ray
On 06/27/2011 06:30 PM, Sampo Syreeni wrote: On 2011-06-20, Marsh Ray wrot I once looked up the Unicode algorithm for some basic case insensitive string comparison... 40 pages! Isn't that precisely why e.g. Peter Gutmann once wrote against the canonicalization (in the Unicode context

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Marsh Ray
On 06/28/2011 10:25 AM, Nico Williams wrote: But doesn't the AAA server get the password in the clear? Not in cases like MS-CHAPv2. Most shops seem to require the use of it, having thrown out classic RADIUS PAP along with MS-CHAPv1. If so the server can make it right. Define 'right'

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Marsh Ray
On 06/28/2011 10:36 AM, Ian G wrote: On 28/06/11 11:25 AM, Nico Williams wrote: The most immediate problem for many users w.r.t. non-ASCII in passwords is not the likelihood of interop problems but the heterogeneity of input methods and input method selection in login screens, password input

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Marsh Ray
On 06/28/2011 12:01 PM, Paul Hoffman wrote: And this discussion of ASCII and internationalization has what to do with cryptography, asks the person on the list is who is probably most capable of arguing about it but won't? [1] It's highly relevant to the implementation of cryptographic systems

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Marsh Ray
On 06/28/2011 12:48 PM, Steven Bellovin wrote: Wow, this sounds a lot like the way 64-bit DES was weakened to 56 bits. It wasn't weakened -- parity bits were rather important circa 1974. (One should always think about the technology of the time. It's a very reasonable-sounding explanation,

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-28 Thread Marsh Ray
On 06/28/2011 02:09 PM, Sampo Syreeni wrote: But a case-insensitive password compare?!? For some reason I don't think anybody would want to go there, and that almost everybody would want the system to rather fail safe than to do anything but pass around (type-tagged) bits. I mean, would anybody

[cryptography] OFF LIST Re: Oddity in common bcrypt implementation

2011-06-29 Thread Marsh Ray
On 06/29/2011 04:01 AM, Ian G wrote: Or, talking about non-crypto security techniques like passwords is punishment for mucking up the general deployment of better crypto techniques. Nice. :-) - Marsh ___ cryptography mailing list

Re: [cryptography] OFF LIST Re: Oddity in common bcrypt implementation

2011-06-29 Thread Marsh Ray
Well I guess that wasn't off list after all. It's still nice tho. :-) On 06/29/2011 09:40 AM, Marsh Ray wrote: On 06/29/2011 04:01 AM, Ian G wrote: Or, talking about non-crypto security techniques like passwords is punishment for mucking up the general deployment of better crypto

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-29 Thread Marsh Ray
On 06/29/2011 06:49 AM, Peter Gutmann wrote: So far I've had exactly zero complaints about i18n or c18n-based password issues. [Pause] Yup, just counted them again, definitely zero. Turns out that most of the time when people are entering their passwords to, for example, unlock a private

Re: [cryptography] Oddity in common bcrypt implementation

2011-06-29 Thread Marsh Ray
fOn 06/29/2011 05:41 PM, Jeffrey Walton wrote: From my interop-ing experience with Windows, Linux, and Apple (plus their mobile devices), I found the best choice for password interoperability was UTF8, not UTF16. I use UTF-8 whenever possible, too. Just to be clear here, the native OS Win32

[cryptography] Is there a cryptanalyst in the house?

2011-06-29 Thread Marsh Ray
There's a new and improved botnet around that's got the tech press all a-flutter. http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot : The ‘indestructible’ botnet Encrypted network connections One of the key changes in TDL-4 compared to previous versions is an updated algorithm

Re: [cryptography] Bitcoin observation

2011-07-05 Thread Marsh Ray
On 07/05/2011 08:07 PM, Taral wrote: On Tue, Jul 5, 2011 at 3:53 AM, Adam Backa...@cypherspace.org wrote: I dont think you can prove you have destroyed a bitcoin, neither your own bitcoin, nor someone else's. To destroy it you would have to prove you deleted the coin private key, and you

Re: [cryptography] Bitcoin observation

2011-07-07 Thread Marsh Ray
On 07/07/2011 04:10 PM, Nico Williams wrote: In some (most?) public key cryptosystems it's possible to prove that a valid public key has a corresponding private key (that is, there exists a valid private key for which the given public key *is* the public key). That's used for public key

Re: [cryptography] preventing protocol failings

2011-07-12 Thread Marsh Ray
On 07/12/2011 04:24 PM, Zooko O'Whielacronx wrote: On Tue, Jul 12, 2011 at 11:10 AM, Hill, Bradbh...@paypal-inc.com wrote: I have found that when H3 meets deployment and use, the reality too often becomes: Something's gotta give. We haven't yet found a way to hide enough of the complexity of

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Marsh Ray
On 07/13/2011 01:01 AM, Ian G wrote: On 13/07/11 9:25 AM, Marsh Ray wrote: But the entire purpose of securing a system is to deny access to the protected resource. And that's why it doesn't work; we end up denying access to the protected resource. Denying to the attacker - good. Denying

[cryptography] PuTTY 0.61 (ssh-keys only and EKE for web too (Re: preventing protocol failings))

2011-07-13 Thread Marsh Ray
I normally wouldn't post about any old software release, but with the recent discussion of SSH and authentication these release notes from PuTTY seem appropriate. - Marsh http://lists.tartarus.org/pipermail/putty-announce/2011/16.html It's been more than four years since 0.60 was

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Marsh Ray
On 07/13/2011 01:33 PM, Jeffrey Walton wrote: I believe Mozilla is [in]directly supported by Google. Mozilla has made so much money, they nearly lost their tax exempt status: http://tech.slashdot.org/story/08/11/20/1327240/IRS-Looking-at-GoogleMozilla-Relationship. Mozilla has a lot of cash

Re: [cryptography] OTR and deniability

2011-07-15 Thread Marsh Ray
On 07/14/2011 01:59 PM, Steven Bellovin wrote: did the first party hack into the second party's computer and plant the log file? had someone else hacked into it and used it to talk with the first party? -- but that's also outside the crypto protocol. Put another way, the goal in a trial is

Re: [cryptography] OTR and deniability

2011-07-15 Thread Marsh Ray
On 07/13/2011 09:37 PM, Ai Weiwei wrote: Hello list, Recently, Wired published material on their website which are claimed to be logs of instant message conversations between Bradley Manning and Adrian Lamo in that infamous case. [1] I have only casually skimmed them, but did notice the

Re: [cryptography] OTR and deniability

2011-07-16 Thread Marsh Ray
On 07/15/2011 11:21 PM, Ian Goldberg wrote: Just to be clear: there are _no_ OTR-related mathematical points or issues here. The logs were in plain text. OTR has nothing at all to do with their deniability. It's a good bet the entirety of the informant's PC was acquired for computer

Re: [cryptography] bitcoin scalability to high transaction rates

2011-07-20 Thread Marsh Ray
On 07/20/2011 08:24 AM, Ian G wrote: Yes, sure, but: 1. we are talking about high frequency trading here, and speed is the first, second and third rule. Each trade could be making 10k++ and up, which buys you a lot of leaches. Basically, you have to get the trade down to the cost of a packet,

Re: [cryptography] bitcoin scalability to high transaction rates

2011-07-21 Thread Marsh Ray
On 07/21/2011 10:41 AM, Sampo Syreeni wrote: HST is just an example of a mechanism which creates prodigious amounts of transaction data. There are others, starting simply with wide enough adoption of Bitcoin. So if the amount of transaction data being shipped around can become a bottleneck here,

Re: [cryptography] [OT] -gate (Re: An appropriate image from Diginotar)

2011-09-02 Thread Marsh Ray
On 09/02/2011 10:29 AM, Harald Hanche-Olsen wrote: The -gate suffix is getting tiresome, actually. I tend to agree with this: http://www.ajr.org/article.asp?id=5106 Ever since a certain third-rate burglary in Washington, D.C., many years ago, journalists have insisted on sticking the

Re: [cryptography] *.google.com certificate issued by DigiNotar

2011-09-02 Thread Marsh Ray
On 09/02/2011 12:55 PM, coderman wrote: the next escalation will be sploiting private keys out of hardware security modules presumed impervious to such attacks. given the quality of HSM firmwares they're lucky cost is somewhat a prohibiting factor for attackers. authority in the wild, not

Re: [cryptography] OT: Dutch Government: Websites' Safety Not Guaranteed

2011-09-03 Thread Marsh Ray
On 09/03/2011 06:13 PM, Jeffrey Walton wrote: http://abcnews.go.com/Technology/wireStory?id=14441405 The Dutch government said Saturday it cannot guarantee the security of its own websites, days after the private company it uses to authenticate them admitted it was hacked. An official also said

Re: [cryptography] Diginotar broken arrow as a tour-de-force of PKI fail

2011-09-05 Thread Marsh Ray
Preliminary report on-line: http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/fox-it-operation-black-tulip.html - Marsh ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] Diginotar Lessons Learned (long)

2011-09-07 Thread Marsh Ray
On 09/07/2011 10:00 AM, Peter Gutmann wrote: Ian Gi...@iang.org writes: Hence, the well-known race-to-the-bottom, which is a big factor in DigiNotar. Actually I'm not sure that DigiNotar was the bottom, since they seem to have been somewhat careful about the certs they issued. The bottom

Re: [cryptography] GlobalSign temporarily ceases issuance of all certificates

2011-09-07 Thread Marsh Ray
On 09/07/2011 02:34 PM, Fredrik Henbjork wrote: http://www.globalsign.com/company/press/090611-security-response.html This whole mess just gets better and better... What's interesting is how the attacker simply doesn't fit the expected motivations that SSL cert-based PKI was ever sold as

Re: [cryptography] After the dust settles -- what happens next? (v. Long)

2011-09-11 Thread Marsh Ray
On 09/11/2011 07:26 PM, Paul Hoffman wrote: Some of us observe a third, more likely approach: nothing significant happens due to this event. The collapse of faith is only among the security folks whose faith was never there in the first place. A week after the event, who was talking about it

Re: [cryptography] After the dust settles -- what happens next? (v. Long)

2011-09-12 Thread Marsh Ray
On 09/11/2011 11:24 PM, Paul Hoffman wrote: On Sep 11, 2011, at 6:40 PM, Marsh Ray wrote: On 09/11/2011 07:26 PM, Paul Hoffman wrote: Some of us observe a third, more likely approach: nothing significant happens due to this event. The collapse of faith is only among the security folks whose

Re: [cryptography] PKI - and the threat model is ...?

2011-09-12 Thread Marsh Ray
On 09/12/2011 01:45 PM, M.R. wrote: The system is not expected to protect individual liberty, life or limb, nor is it expected to protect high-value monetary transactions, intellectual property assets, state secrets or critical civic infrastructure operations. It never was, and yet, it is

Re: [cryptography] Let's go back to the beginning on this

2011-09-13 Thread Marsh Ray
On 09/13/2011 01:31 PM, Seth David Schoen wrote: An example from yesterday was https://www.senate.gov/ which had a valid cert a while ago and then recently stopped. (Their HTTPS support was reported to us as working on June 29; according to Perspectives, the most recent change apparently

Re: [cryptography] Let's go back to the beginning on this

2011-09-14 Thread Marsh Ray
On 09/14/2011 09:34 PM, Arshad Noor wrote: On 9/14/2011 2:52 PM, Seth David Schoen wrote: Arshad Noor writes: I'm not sure I understand why it would be helpful to know all (or any) intermediate CA ahead of time. If you trust the self-signed Root CA, then, by definition, you've decided to

Re: [cryptography] Let's go back to the beginning on this

2011-09-15 Thread Marsh Ray
On 09/15/2011 12:15 PM, Ian G wrote: Trust in a CA might be more like 99%. Now, if we have a 1% untrustworthy rating for a CA, what happens when we have 100 CAs? Well, untrust is additive (at least). We require to trust all the CAs. So we have a 100% untrustworthy rating for any system of 100

[cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-17 Thread Marsh Ray
Been seeing Twitter from @ralphholz, @KevinSMcArthur, and @eddy_nigg about some goofy certs surfacing in S Korea with CA=true. via Reddit http://www.reddit.com/tb/kj25j http://english.hani.co.kr/arti/english_edition/e_national/496473.html It's not entirely clear that a trusted CA cert is

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-17 Thread Marsh Ray
On 09/17/2011 09:03 PM, Arshad Noor wrote: On 09/17/2011 06:37 PM, Marsh Ray wrote: It's not entirely clear that a trusted CA cert is being used in this attack, however the article comes to the conclusion that HTTPS application data is being decrypted so it's the most plausible assumption

Re: [cryptography] Math corrections [was: Let's go back to the beginning on this]

2011-09-17 Thread Marsh Ray
On 09/17/2011 11:59 PM, Arshad Noor wrote: The real problem, however, is not the number of signers or the length of the cert-chain; its the quality of the certificate manufacturing process. No, you have it exactly backwards. It really is the fact that there are hundreds of links in the chain

Re: [cryptography] The Government and Trusted Third Party

2011-09-18 Thread Marsh Ray
On 09/18/2011 05:32 AM, Jeffrey Walton wrote: The one thing I cannot palette: [many] folks in Iran had a preexisting relationship with Google. For an Iranian to read his/her email via Gmail only required two parties - the person who wants to do the reading and the Gmail service. Why was a third

Re: [cryptography] Math corrections

2011-09-18 Thread Marsh Ray
On 09/18/2011 12:50 PM, Arshad Noor wrote: On 09/17/2011 10:37 PM, Marsh Ray wrote: It really is the fact that there are hundreds of links in the chain and that the failure of any single weak link results in the failure of the system as a whole. I'm afraid we will remain in disagreement

Re: [cryptography] Math corrections

2011-09-19 Thread Marsh Ray
On 09/18/2011 11:48 PM, Arshad Noor wrote: On 09/18/2011 01:12 PM, Marsh Ray wrote: But the failure of *any* single CA allows a successful attack on *every* user connecting to *every* https website. Would you care to explain this in more detail, Marsh? Please feel free to frame your

Re: [cryptography] SSL is not broken by design

2011-09-19 Thread Marsh Ray
On 09/19/2011 10:53 AM, Andy Steingruebl wrote: You know what else fails at fighting phishing? - The locks on my car door Hmmm, what would a phishing attack on your car door locks look like? Perhaps someone could replace your car one night with a very similar-looking one, then when you're

Re: [cryptography] DigiNotar SSL Hack Diagram | Cyber Chatter

2011-09-20 Thread Marsh Ray
On 09/20/2011 03:21 PM, Jeffrey Walton wrote: Google's smart phone position (http://code.google.com/p/cyanogenmod/issues/detail?id=4260): Why would we remove the root certificate? DigiNotar hasn't been revoked as a CA... MITM attacks are pretty rare. (Sep 1, 2011). On Sept 2, 2011 the issue

Re: [cryptography] PFS questions (was SSL *was* broken by design)

2011-10-03 Thread Marsh Ray
On 10/02/2011 03:38 AM, Peter Gutmann wrote: Sandy Harrissandyinch...@gmail.com writes: What on Earth were the arguments against it? I'd have thought PFS was a complete no-brainer. Two things, it's computationally very expensive, and most people have no idea what PFS is. There's been one

Re: [cryptography] PFS questions (was SSL *was* broken by design)

2011-10-03 Thread Marsh Ray
On 10/03/2011 01:37 PM, Jon Callas wrote: At the risk of feeding the conspiracy angle, I note that there is only one stream cipher for SSL/TLS (RC4). All the others in common use are CBC modes, with that same predictable IV weakness as IPsec (i.e. BEAST). There are no DHE cipher suites defined

Re: [cryptography] PFS questions (was SSL *was* broken by design)

2011-10-04 Thread Marsh Ray
On 10/04/2011 09:25 AM, Bodo Moeller wrote: There's TLS_ECDHE_RSA_WITH_RC4_128_SHA. Thanks! That is informative and helpful. Seriously. http://tools.ietf.org/html/rfc4492 Unfortunately, it looks like because it was only standardized 5.5 years ago *sigh* it's not available in my server

Re: [cryptography] PFS questions (was SSL *was* broken by design)

2011-10-05 Thread Marsh Ray
On 10/05/2011 07:57 AM, ianG wrote: This thread originated in a state-led attack on google and 4 CAs (minimum) with one bankruptcy, one state's government certificates being replaced, measured cert uses (MITMs?) in the thousands. Just for the record, the Fox-IT Interim Report September 5,

Re: [cryptography] For discussion: MECAI: Mutually Endorsing CA Infrastructure

2011-10-21 Thread Marsh Ray
On 10/21/2011 08:09 AM, Kai Engert wrote: This is an idea how we could improve today's world of PKI, OCSP, CA's. https://kuix.de/mecai/ This is great. We need these kinds of ideas. Review, thoughts and reports of flaws welcome. OK, this is a serious thought, not just a flippant remark:

Re: [cryptography] HMAC over messages digest vs messages

2011-11-02 Thread Marsh Ray
On 11/02/2011 02:33 PM, Jack Lloyd wrote: It seems like it would be harder (or at least not easier) to find a collision or preimage for HMAC with an unknown key than a collision or preimage for an unkeyed hash, so using HMAC(H(m)) allows for an avenue of attack that HMAC(m) would not, namely

[cryptography] Declassified NSA Tech Journals

2011-11-27 Thread Marsh Ray
Came across this on Reddit: Declassified NSA Tech Journals http://www.nsa.gov/public_info/declass/tech_journals.shtml It all looks so interesting it's hard to know where to start. - Marsh * Emergency Destruction of Documents - April 1956 - Vol. I, No. 1 * Development of Automatic Telegraph

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Marsh Ray
Steven Bellovins...@cs.columbia.edu wrote: Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography? I'm looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries.

Re: [cryptography] 512-bit certs used in attack

2011-11-27 Thread Marsh Ray
On 11/27/2011 09:57 PM, Peter Gutmann wrote: That's an example of *claims* of 512-bit keys being factored, with the thinking being everyone knows 512-bit keys are weak, the certs used 512-bit keys, therefore they must have got them by factoring. Yeah. It seems like an important point.

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Marsh Ray
On 11/28/2011 04:56 PM, Steven Bellovin wrote: I'm writing something where part of the advice is don't buy snake oil crypto, get the good stuff. By good I mean well-accepted algorithms (not proprietary for extra security!), and protocols that have received serious analysis. I also want to

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Marsh Ray
On 11/28/2011 05:58 PM, Marsh Ray wrote: I heard it stated somewhere that an Apple product was using PBKDF2 with a work factor of 1. Does that count? Follow-up. It was Blackberry, not Apple: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3741 Vulnerability Summary for CVE-2010

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Marsh Ray
On 11/28/2011 06:52 PM, Steven Bellovin wrote: On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote: On 11/28/2011 04:56 PM, Steven Bellovin wrote: I'm writing something where part of the advice is don't buy snake oil crypto, get the good stuff. By good I mean well-accepted algorithms

Re: [cryptography] Auditable CAs

2011-11-29 Thread Marsh Ray
On 11/27/2011 03:00 PM, Ben Laurie wrote: Given the recent discussion on Sovereign Keys I thought people might be interested in a related, but less ambitious, idea Adam Langley and I have been kicking around: http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf. Some

Re: [cryptography] Auditable CAs

2011-11-30 Thread Marsh Ray
On 11/30/2011 05:24 AM, Ben Laurie wrote: On Wed, Nov 30, 2011 at 1:18 AM, Marsh Rayma...@extendedsubset.com wrote: Perhaps the relevant property is certs issued by a browser-trusted CA or subordinate regardless of their visibility. If they are not visible, why would we care whether they

Re: [cryptography] Auditable CAs

2011-11-30 Thread Marsh Ray
On 11/30/2011 12:01 PM, Ben Laurie wrote: On Wed, Nov 30, 2011 at 5:16 PM, Marsh Rayma...@extendedsubset.com wrote: Perhaps you define this category of publicly visible certs as certs which display without warnings on default-configured browsers when presented by the correct site. ... On the

Re: [cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

2011-12-01 Thread Marsh Ray
On 12/01/2011 11:09 AM, Ben Laurie wrote: On Thu, Dec 1, 2011 at 4:56 PM, Marsh Rayma...@extendedsubset.com wrote:

  1   2   >